Cisco IOS XR System Security Configuration Guide, Release 3.3
Implementing IPSec Network Security on Cisco IOS XR Software

Implementing IPSec Network Security on Cisco IOS XR Software


IP Security (IPSec) provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices ("peers"), such as Cisco routers.

With IPSec, data can be sent across a public network without observation, modification, or spoofing, which enables applications, such as Virtual Private Networks (VPNs), including intranets, extranets, and remote user access.

This module describes the new and revised tasks you need to implement IPSec network security on your Cisco IOS XR network.


Note For a complete description of the IPSec network security commands used in this chapter, see the IPSec Network Security Commands on Cisco IOS XR Software module of the Cisco IOS XR System Security Command Reference publication. To locate documentation of other commands that appear in this chapter, use the command reference master index, or search online.


Feature History for Implementing IPSec Network Security on Cisco IOS XR Software

Release 2.0: This feature was introduced on the Cisco CRS-1.

Release 3.0: No modification.

Release 3.2: Support was added for the Cisco XR 12000 Series Router.

Release 3.3.0: No modification.


Contents

Prerequisites for Implementing IPSec Network Security

Restrictions for Implementing IPSec Network Security

Information About Implementing IPSec Network Security

How to Implement IPSec Network Security

Configuration Examples for Implementing IPSec Network Security

Additional References

Prerequisites for Implementing IPSec Network Security

The following prerequisites are required to implement IPSec network security:

You must be in a user group associated with a task group that includes the proper task IDs for security commands. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

You must install and activate the Package Installation Envelope (PIE) for the security software.

For detailed information about optional PIE installation, see the Cisco IOS XR Getting Started Guide.

You must configure Internet Key Exchange (IKE), as described in the Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software module.

Restrictions for Implementing IPSec Network Security

IPSec can be applied to unicast IP datagrams only. Because the IPSec Working Group has not yet addressed the issue of group key distribution, IPSec does not work with multicast or broadcast IP datagrams.

If you use Network Address Translation (NAT), you should configure static NAT translations so that IPSec will work properly. In general, NAT translation should occur before the router performs IPSec encapsulation; in other words, IPSec should be working with global addresses.

Information About Implementing IPSec Network Security

To implement IP network security, you should understand the following concepts:

Crypto Profiles

Dynamic Crypto Profiles

Crypto Access Lists

Transform Sets

Global Lifetimes for IPSec Security Associations

Checkpointing

Mode Configuration

Extended Authentication (Xauth)

Crypto Profiles

Crypto profile entries created for IPSec combine the various parts used to set up IPSec security associations (SAs), including the following:

Traffic that should be protected by IPSec (per a crypto access list)

Granularity of the flow to be protected by a set of SAs

IPSec security that should be applied to this traffic (selecting from a list of one or more transform sets)

Other parameters that might be necessary to define an IPSec SA

You apply each crypto profile to a tunnel interface or the crypto transport. All locally sourced IP traffic is evaluated against the applied crypto profile set. If the access control lists (ACLs) specified within the profile match any outbound IP traffic, then the IP traffic is protected by IPSec. The SA is established with the remote peer by IKE.

The policy described in the crypto profile entries is used during the negotiation of SAs. If the local router initiates the negotiation, it uses the policy specified in the static crypto profile entries to create the offer to be sent to the specified IPSec peer. If the IPSec peer initiates the negotiation, the local router checks the policy from the static crypto profile entries and any referenced dynamic crypto profile entries, to decide whether to accept or reject the peer's request (offer).

For IPSec to succeed between two IPSec peers, both peers' crypto profile entries must contain compatible configuration statements.

When two peers try to establish an SA, each must have at least one crypto profile entry that is compatible with one of the other peer's crypto profile entries. For two crypto profile entries to be compatible, they must at least meet the following criteria:

The crypto profile entries must contain compatible crypto access lists. In the case where the responding peer is using dynamic crypto profiles, the entries in the local crypto access list must be "permitted" by the peer's crypto access list.

The crypto profile entries must have at least one transform set in common.


Note Crypto profiles cannot be shared, that is, the same profile cannot be attached to multiple tunnel-IPSec interfaces or an interface and transport mode IPSec.


Dynamic Crypto Profiles

A dynamic crypto profile entry is essentially a crypto profile entry without all the parameters configured. It acts as a policy template in which the missing parameters are later dynamically configured (as the result of an IPSec negotiation) to match a remote peer's requirements. This allows remote peers to exchange IPSec traffic with the router even if the router does not have a crypto profile entry specifically configured to meet all of the remote peer's requirements.

Dynamic crypto profiles are not used by the router to initiate new IPSec SAs with remote peers. Dynamic crypto profiles are used when a remote peer tries to initiate an IPSec SA with the router. Dynamic crypto profiles are also used in evaluating traffic.

If the router accepts the peer's request, at the point that it installs the new IPSec SAs it implicitly installs a temporary crypto profile entry. This entry is filled in with the results of the negotiation. At this point, the router performs normal processing, using this temporary crypto profile entry as a normal entry, even requesting new SAs if the current ones are expiring (based upon the policy specified in the temporary crypto profile entry). After the flow expires (that is, all of the corresponding SAs expire), the temporary crypto profile entry is then removed.

For static crypto profile entries, if outbound traffic matches a permit statement in an access list and the corresponding SA is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto profile entries, if no SA existed, the traffic would be dropped (because dynamic crypto profiles are not used for initiating new SAs).


Note Use care when using the any keyword in permit entries in dynamic crypto profiles. If it is possible for the traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should include deny entries for the appropriate address range. Access lists should also include deny entries for network and subnet broadcast traffic and for any other traffic that should not be IPSec-protected.


Crypto Access Lists

Crypto access lists are used to define the IP traffic that is and is not protected by crypto. For example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or Telnet traffic between Host A and Host B.

The access lists themselves are not specific to IPSec. It is the crypto profile entry referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.

Crypto access lists associated with IPSec crypto profile entries have four primary functions:

Select outbound traffic to be protected by IPSec (permit = protect).

Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPSec SAs.

Process inbound traffic to filter and discard traffic that should have been protected by IPSec.

Determine whether to accept requests for IPSec SAs on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is done only for ipsec-isakmp crypto profile entries.) To be accepted, if the peer initiates the IPSec negotiation, it must specify a data flow that is "permitted" by a crypto access list associated with an ipsec-isakmp crypto profile entry.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic.

The any Keyword in Crypto Access Lists

When you create crypto access lists, using the any keyword could cause problems. We discourage the use of the any keyword to specify source or destination addresses.

No concept of default access lists exists for IPSec.

The permit any any statement is strongly discouraged, because it causes all outbound traffic to be protected (and all protected traffic to be sent to the peer specified in the corresponding crypto profile entry) and requires protection for all inbound traffic. Then, all inbound packets that lack IPSec protection are silently dropped, including packets for routing protocols, NTP, echo, echo response, and so on.

Be sure to define which packets to protect. If you must use the any keyword in a permit statement, you must preface that statement with a series of deny statements to filter any traffic (that would otherwise fall within that permit statement) that you do not want to be protected.
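As an added example (not from the original guide), the discouraged permit any any list beside a crypto access list that follows this advice. Names, subnets and the choice of excluded traffic are constructed; the entries use the IOS XR ipv4 access-list form (sequence number, protocol keyword, source and destination with wildcard masks).

```text
! Discouraged form: every outbound packet must be protected, so every
! inbound packet without IPSec protection (routing protocol hellos, NTP,
! ICMP echo and echo response, ...) is silently dropped.
ipv4 access-list CRYPTO-WEAK
 10 permit ipv4 any any
!
! Preferred form: deny what must never be IPSec-protected, then permit
! only the flow between Subnet A (10.1.1.0/24) and Subnet Y (10.2.2.0/24).
ipv4 access-list CRYPTO-SUBNET-A-TO-Y
 ! multicast range (covers OSPF hellos on 224.0.0.5 and 224.0.0.6)
 10 deny ipv4 any 224.0.0.0 15.255.255.255
 ! limited broadcast and the subnet broadcast of the remote subnet
 20 deny ipv4 any host 255.255.255.255
 30 deny ipv4 any host 10.2.2.255
 ! unicast routing protocol and NTP traffic stay outside the tunnel
 40 deny ospf any any
 50 deny udp any any eq 123
 ! only now the protected flow; no any keyword on either side
 60 permit ipv4 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
```

Because there is no implicit default crypto access list, anything not matched by entry 60 is simply sent or received without IPSec rather than dropped.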

Transform Sets

A transform set represents a certain combination of security protocols and algorithms. During the IPSec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

You can specify multiple transform sets and then one or more of these transform sets in a crypto profile entry. The transform set defined in the crypto profile entry is used in the IPSec SA negotiation to protect the data flows specified by that crypto profile entry's access list.

During IPSec SA negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as part of both peers' IPSec SAs.

If you change a transform set definition, the change is applied only to crypto profile entries that reference the transform set. The change will not be applied to existing SAs, but is used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto ipsec sa command.

Global Lifetimes for IPSec Security Associations

You can change the global lifetime values that are used when negotiating new IPSec SAs.

Two lifetimes exist: a "timed" lifetime and "traffic-volume" lifetime. An SA expires after the first of these lifetimes is reached. The default lifetimes are 3600 seconds (1 hour) and 4,194,303 kilobytes (10 MBps for 1 hour).

If you change a global lifetime, the new lifetime value is not applied to currently existing SAs, but is used in the negotiation of subsequently established SAs. If you want to use the new values immediately, you can clear all or part of the SA database. See the clear crypto ipsec sa command for more details.

IPSec SAs use one or more shared secret keys. These keys and their SAs time out together.

Assuming that the particular crypto profile entry does not have lifetime values configured, when the router requests new SAs it specifies its global lifetime values in the request to the peer; it uses this value as the lifetime of the new SAs. When the router receives a negotiation request from the peer, it uses the smaller of either the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new SAs.

The SA (and corresponding keys) expire according to whichever comes sooner, either after the number of seconds has passed (specified by the seconds keyword) or amount of traffic in kilobytes is passed (specified by the kilobytes keyword).

A new SA is negotiated before the lifetime threshold of the existing SA is reached, to ensure that a new SA is ready for use when the old one expires. The new SA is negotiated approximately 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever comes first).

If no traffic has passed through the tunnel during the entire life of the SA, a new SA is not negotiated when the lifetime expires. Instead, a new SA is negotiated only when IPSec sees another packet that should be protected.

Checkpointing

IPSec checkpoints SAs in the local database. If an IPSec process restarts, SAs are retrieved from the local database and need not be re-established with remote peers.

IPSec checkpointing is enabled by default. To disable IPSec checkpointing, use the crypto ipsec chkpt-disabled command in global configuration mode.

Mode Configuration

IKE mode configuration, as defined by the Internet Engineering Task Force (IETF), allows a gateway to download an IP address (and other network-level configuration) to the client as part of an IKE negotiation. Using this exchange, the gateway gives IP addresses to the IKE client to be used as an "inner" IP address encapsulated under IPSec. This method provides a known IP address for the client that can be matched against IPSec policy.

Extended Authentication (Xauth)

Extended authentication (Xauth) is a draft RFC based on the IKE protocol. Xauth allows all Cisco IOS XR software authentication, authorization, and accounting (AAA) authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. The AAA configuration list name must match the Xauth configuration list name for user authentication to occur.

Xauth does not replace IKE. IKE provides device authentication; Xauth provides user authentication, which occurs after IKE device authentication. Xauth occurs after IKE authentication phase 1, but before IKE IPSec SA negotiation phase 2.

How to Implement IPSec Network Security

This section contains the following procedures:

Setting Global Lifetimes for IPSec Security Associations (optional)

Configuring Checkpointing (optional)

Creating Crypto Access Lists (required)

Defining Transform Sets (required)

Defining Group Policy Information for Mode Configuration Push (optional)

Configuring Crypto Profiles (required)

Applying Crypto Profiles to Tunnel Interfaces (required)

Applying Crypto Profiles to Transport (required)

Setting Global Lifetimes for IPSec Security Associations

This task sets global lifetimes for IPSec security associations.

SUMMARY STEPS

1. configure

2. crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

3. end
or
commit

4. clear crypto ipsec sa {sa-id | all}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

Example:

RP/0/RP0/CPU0:router(config)# crypto ipsec security-association lifetime seconds 2700

Changes global lifetime values used when negotiating IPSec SAs.

The seconds seconds keyword and argument change the global "timed" lifetime for IPSec SAs.

This form of the command causes the SA to time out after the specified number of seconds have passed.

The kilobytes kilobytes keyword and argument change the global "traffic-volume" lifetime for IPSec SAs.

This form of the command causes the SA to time out after the specified amount of traffic (in kilobytes) has passed through the IPSec "tunnel" using the SA.

Step 3 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config)# end

or

RP/0/RP0/CPU0:router(config)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 4 

clear crypto ipsec sa {sa-id | all}

Example:

RP/0/RP0/CPU0:router# clear crypto ipsec sa 100

(Optional) Clears existing security associations, which causes any existing SAs to expire immediately.

Future SAs use the new lifetimes.

Any existing SAs expire according to the previously configured lifetimes.

Note Using the clear crypto ipsec sa command with the all keyword clears the full SA database, which clears active security sessions. You may also specify the sa-id argument to clear an SA with a specific ID. For more information, see the clear crypto ipsec sa command.

Configuring Checkpointing

This task configures IPSec checkpointing.

SUMMARY STEPS

1. configure

2. crypto ipsec chkpt-disabled

3. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

crypto ipsec chkpt-disabled

Example:

RP/0/RP0/CPU0:router(config)# crypto ipsec chkpt-disabled

Disables IPSec checkpointing.

IPSec checkpointing is enabled by default.

To re-enable IPSec checkpointing, use the no crypto ipsec chkpt-disabled command.

Step 3 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config)# end

or

RP/0/RP0/CPU0:router(config)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Creating Crypto Access Lists

This task creates crypto access lists.

SUMMARY STEPS

1. configure

2. ipv4 access-list access-list-name

3. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

ipv4 access-list access-list-name

Example:

RP/0/RP0/CPU0:router(config)# ipv4 access-list InternetFilter

RP/0/RP0/CPU0:router(config-ipv4-acl)#

Specifies conditions to determine which IP packets are protected.

Enables or disables crypto for traffic that matches these conditions.

We recommend that you avoid using the any keyword, as described in the "The any Keyword in Crypto Access Lists" section.

Follow with permit and deny statements, as appropriate.

Step 3 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config)# end

or

RP/0/RP0/CPU0:router(config)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Defining Transform Sets

This task defines a transform set.

SUMMARY STEPS

1. configure

2. crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

3. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

Example:

RP/0/RP0/CPU0:router(config)# crypto ipsec transform-set sample esp-sha-hmac

Defines a transform set.

Complex rules define which entries you can use for the transform arguments. These rules are explained in the command description for the crypto ipsec transform-set command.

Step 3 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config)# end

or

RP/0/RP0/CPU0:router(config)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Defining Group Policy Information for Mode Configuration Push

Although users can belong to only one group for each connection, they may belong to specific groups with different policy requirements. Thus, users may decide to connect to the client using a different group ID by changing their client profile on the VPN device.

This task defines the group policy attributes that are pushed to the client through mode configuration.

SUMMARY STEPS

1. configure

2. crypto isakmp client configuration group group-name

3. key preshared-key

4. acl acl-name

5. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

crypto isakmp client configuration group group-name

Example:

RP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group cisco

Specifies which group's policy profile is defined and enters ISAKMP group configuration mode.

If no specific group matches and a default group is defined, users are automatically given the default group's policy.

Step 3 

key preshared-key

Example:

RP/0/RP0/CPU0:router(config-isakmp-group)# key samplekey

Specifies the IKE preshared key for group policy attribute definition.

Note This command must be enabled if the client identifies itself with a preshared key.

Step 4 

acl acl-name

Example:

RP/0/RP0/CPU0:router(config-isakmp-group)# acl group1

(Optional) Configures split tunneling.

The acl-name argument specifies a group of ACL rules that represent protected subnets for split tunneling purposes.

Step 5 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config-isakmp-group)# end

or

RP/0/RP0/CPU0:router(config-isakmp-group)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring Crypto Profiles

This task configures static or dynamic crypto profiles.

Prerequisites

If you will apply mode configuration to a crypto profile, you must first define the group policy attributes that are pushed to the client by completing the task "Defining Group Policy Information for Mode Configuration Push."

SUMMARY STEPS

1. configure

2. crypto ipsec profile name

3. match acl-name transform-set transform-set-name

4. set pfs {group1 | group2 | group5}

5. set type {static | dynamic [discover]}

6. isakmp authorization list author-list-name

7. client authentication list authen-list-name

8. exit

9. crypto isakmp client configuration group group-name

10. end
or
commit

11. show crypto ipsec sa [sa-id | peer ip-address | profile profile-name] location node-id [detail]

12. show crypto ipsec summary

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

crypto ipsec profile name

Example:

RP/0/RP0/CPU0:router(config)# crypto ipsec profile new

Creates the IPSec profile and enters profile configuration mode.

Step 3 

match acl-name transform-set transform-set-name

Example:

RP/0/RP0/CPU0:router(config-new)# match sampleacl transform-set tset1

Configures the ACL to use for packet classification, and if the packets need protecting, the transform set to use for IPSec processing.

Step 4 

set pfs {group1 | group2 | group5}

Example:

RP/0/RP0/CPU0:router(config-new)# set pfs group5

(Optional) Specifies that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto profile entry, or should demand PFS in requests received from the IPSec peer.

Step 5 

set type {static | dynamic [discover]}

Example:

RP/0/RP0/CPU0:router(config-new)# set type dynamic discover

(Optional) Sets the profile mode type.

Default is static mode, which means the peer is identified in the configuration (tunnel mode).

Dynamic mode lets the profile be dynamic, which means SA negotiation from any authenticated peer is allowed.

Setting the discover option enables IKE tunnel endpoint discovery (TED) handling.

Step 6 

isakmp authorization list author-list-name

Example:

RP/0/RP0/CPU0:router(config-new)# isakmp authorization list list1

(Optional) Enables IKE querying for group policy when requested by the client.

The author-list-name argument is used by AAA to determine which storage source (local or remote server) is used to find the policy, as defined in the aaa authorization command for the network keyword.

Step 7 

client authentication list authen-list-name

Example:

RP/0/RP0/CPU0:router(config-new)# client authentication list list2

(Optional) Enforces extended authentication (Xauth).

The authen-list-name argument is used to determine the appropriate username and password storage location (local or remote server), as defined in the aaa authentication command for the login keyword.

Step 8 

exit

Example:

RP/0/RP0/CPU0:router(config-new)# exit

Exits profile configuration mode.

Step 9 

crypto isakmp client configuration group group-name

Example:

RP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group group1

(Optional) Includes the configuration of a local group profile on the router.

Step 10 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config)# end

or

RP/0/RP0/CPU0:router(config)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 11 

show crypto ipsec sa [sa-id | peer ip-address | profile profile-name] location node-id [detail]

Example:

RP/0/RP0/CPU0:router# show crypto ipsec sa peer 172.19.72.120

(Optional) Displays SA information based on the rack/slot/instance location.

Use the optional detail keyword to display additional dynamic SA information.

Step 12 

show crypto ipsec summary

Example:

RP/0/RP0/CPU0:router# show crypto ipsec summary

(Optional) Displays IPSec summary information.

Applying Crypto Profiles to Tunnel Interfaces

This task applies a crypto profile to a tunnel interface.

You need to apply a crypto profile to each tunnel interface through which IPSec traffic flows. Applying the crypto profile set to a tunnel interface instructs the router to evaluate all the interface's traffic against the crypto profile set and to use the specified policy during connection or SA negotiation on behalf of traffic to be protected by crypto.

SUMMARY STEPS

1. configure

2. interface tunnel-ipsec interface-number

3. profile profile-name

4. tunnel source ip-address

5. tunnel destination ip-address

6. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

interface tunnel-ipsec interface-number

Example:

RP/0/RP0/CPU0:router(config)# interface tunnel-ipsec 0

Identifies the IPSec interface to which the crypto profile is attached.

Step 3 

profile profile-name

Example:

RP/0/RP0/CPU0:router(config-if)# profile sample1

Specifies the crypto profile to use in IPSec processing.

The same crypto profile cannot be shared in different IPSec modes.

Step 4 

tunnel source ip-address

Example:

RP/0/RP0/CPU0:router(config-if)# tunnel source 10.0.0.2

Specifies the tunnel source IP address.

This command is required for both static and dynamic profiles.

Step 5 

tunnel destination ip-address

Example:

RP/0/RP0/CPU0:router(config-if)# tunnel destination 10.0.0.5

Specifies the tunnel destination IP address.

This command is not required if the profile is dynamic.

Step 6 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config-if)# end

or

RP/0/RP0/CPU0:router(config-if)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Applying Crypto Profiles to Transport

This task applies a crypto profile to transport.

A crypto profile protects locally sourced traffic only once it is applied to transport. Applying the crypto profile to transport instructs the router to evaluate all of the locally sourced traffic against the profile's crypto access list and to use the specified policy during connection or SA negotiation on behalf of the traffic to be protected by crypto.

SUMMARY STEPS

1. configure

2. crypto ipsec transport

3. profile profile-name

4. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

crypto ipsec transport

Example:

RP/0/RP0/CPU0:router(config)# crypto ipsec transport

Enters IPSec transport configuration mode.

In IPSec transport mode, IPSec protects the upper-layer protocol (ULP) header and the payload while the original IP header stays in place. Transport mode is used when security is desired end to end, that is, when the security endpoints are the same as the host endpoints; on the router this means the locally sourced traffic selected by the profile's crypto access list.

Step 3 

profile profile-name

Example:

RP/0/RP0/CPU0:router(config-transport)# profile sample2

Specifies the crypto profile to use in IPSec processing.

Step 4 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config-transport)# end

or

RP/0/RP0/CPU0:router(config-transport)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuration Examples for Implementing IPSec Network Security

This section provides the following configuration examples:

Configuring a Static Profile and Attaching to a Tunnel Interface: Example

Configuring a Dynamic Profile and Attaching to a Tunnel Interface: Example

Configuring a Static Profile and Attaching to Transport: Example

Configuring a Static Profile and Attaching to a Tunnel Interface: Example

The following example shows a minimal IPSec configuration where a static crypto profile is created and attached to a tunnel interface.

An IPSec access list named sample1 defines which traffic to protect:

ipv4 access-list sample1 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255

A transform set defines how the traffic is protected. In this example, transform set myset1 uses Data Encryption Standard (DES) encryption and the Secure Hash Algorithm (SHA-1) HMAC for data packet authentication:

crypto ipsec transform-set myset1 esp-des esp-sha-hmac

Another transform set example is myset2, which uses 3DES encryption and the Message Digest 5 (MD5) HMAC for data packet authentication:

crypto ipsec transform-set myset2 esp-3des esp-md5-hmac

These transform sets illustrate the command syntax. DES is a 56-bit cipher that is no longer adequate for protecting sensitive traffic, and 3DES and MD5-HMAC are legacy algorithms; in a real deployment choose the strongest encryption and authentication transforms that both peers support.

A crypto profile named toRemoteSite is created and joins the IPSec access list and transform set myset1:

crypto ipsec profile toRemoteSite
 match sample1 transform-set myset1
 end

The toRemoteSite crypto profile is then applied to a tunnel interface. Because the profile is static, both the tunnel source and the tunnel destination are required:

interface tunnel-ipsec0
 profile toRemoteSite
 tunnel source 10.0.0.2
 tunnel destination 10.0.0.5

Configuring a Dynamic Profile and Attaching to a Tunnel Interface: Example

The following example shows a minimal IPSec configuration where a dynamic crypto profile is created and attached to a tunnel interface.

An IPSec access list named sample2 defines which traffic to protect:

ipv4 access-list sample2 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255

A transform set defines how the traffic is protected. In this example, transform set myset2 uses DES encryption and the SHA-1 HMAC for data packet authentication:

crypto ipsec transform-set myset2 esp-des esp-sha-hmac

Another transform set example is myset3, which uses 3DES encryption and the MD5 HMAC for data packet authentication:

crypto ipsec transform-set myset3 esp-3des esp-md5-hmac

A dynamic crypto profile named toRemoteSite is created and joins the IPSec access list and transform set myset3; the set type dynamic command is what makes the profile dynamic:

crypto ipsec profile toRemoteSite
 match sample2 transform-set myset3
 set type dynamic discover
 end

The toRemoteSite profile is applied to a tunnel interface:

interface tunnel-ipsec0
 profile toRemoteSite
 tunnel source 10.0.0.2

The tunnel destination is not required when the profile is dynamic; the tunnel source is required for both static and dynamic profiles.

Configuring a Static Profile and Attaching to Transport: Example

The following example shows a minimal IPSec configuration in which a static profile is created and applied to transport, so that it protects traffic the router itself sources.

An IPSec access list named sample3 defines which traffic to protect:

ipv4 access-list sample3 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255

A transform set defines how the traffic is protected. In this example, transform set myset1 uses DES encryption and the SHA-1 HMAC for data packet authentication:

crypto ipsec transform-set myset1 esp-des esp-sha-hmac

Another transform set example is myset2, which uses 3DES encryption and the MD5 HMAC for data packet authentication:

crypto ipsec transform-set myset2 esp-3des esp-md5-hmac

A crypto profile named toRemoteSite is created and joins the IPSec access list and transform set myset2:

crypto ipsec profile toRemoteSite
 match sample3 transform-set myset2
 end

The toRemoteSite profile is applied to transport. Because a crypto profile cannot be shared between IPSec modes, this profile must not also be applied to a tunnel interface:

crypto ipsec transport
 profile toRemoteSite
 end
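The following Python script is an added example by the editor, not part of this guide or of Cisco IOS XR software. It reads a configuration fragment written in the syntax the three examples above use (the one-line ipv4 access-list, crypto ipsec transform-set, crypto ipsec profile, interface tunnel-ipsec and crypto ipsec transport forms) and checks it against the rules stated in this chapter: a profile must reference a defined crypto access list and transform set, a tunnel-ipsec interface needs a tunnel source in every case and a tunnel destination whenever its profile is static, and a profile cannot be applied to both a tunnel interface and transport. It also flags DES, 3DES and MD5-HMAC transforms; that weak-transform list is the editor's judgement, not a statement from the guide. The sample configuration embedded in the block is constructed for the example and deliberately contains those faults.

```python
"""Added example, not Cisco code: audit an IOS XR IPSec fragment against this chapter's rules."""
from __future__ import annotations
from dataclasses import dataclass, field

# Editor's judgement, not from the guide: legacy transforms that should not protect sensitive traffic.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

@dataclass
class Config:
    acls: set[str] = field(default_factory=set)                         # crypto access list names
    transform_sets: dict[str, list[str]] = field(default_factory=dict)  # name -> transforms
    profiles: dict[str, dict] = field(default_factory=dict)             # name -> acl/transform_set/dynamic
    tunnels: dict[str, dict] = field(default_factory=dict)              # interface -> profile/source/destination
    transport_profiles: list[str] = field(default_factory=list)

def parse(text: str) -> Config:
    """Unindented lines are top-level statements; indented lines belong to the open submode."""
    cfg, block = Config(), None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w == ["end"]:  # blank lines and 'end' carry no configuration
            continue
        if raw[0] not in " \t":
            block = None
            if w[:2] == ["ipv4", "access-list"]:
                cfg.acls.add(w[2])
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg.transform_sets[w[3]] = w[4:]
            elif w[:3] == ["crypto", "ipsec", "profile"]:
                cfg.profiles[w[3]] = {"acl": None, "transform_set": None, "dynamic": False}
                block = ("profile", w[3])
            elif w[:3] == ["crypto", "ipsec", "transport"]:
                block = ("transport", "")
            elif w[0] == "interface" and len(w) > 1 and w[1].startswith("tunnel-ipsec"):
                name = "".join(w[1:])  # 'tunnel-ipsec 0' and 'tunnel-ipsec0' are the same interface
                cfg.tunnels[name] = {"profile": None, "source": None, "destination": None}
                block = ("tunnel", name)
        elif block and block[0] == "profile":
            p = cfg.profiles[block[1]]
            if w[0] == "match" and "transform-set" in w:
                p["acl"], p["transform_set"] = w[1], w[w.index("transform-set") + 1]
            elif w[:3] == ["set", "type", "dynamic"]:
                p["dynamic"] = True
        elif block and block[0] == "tunnel":
            # 'profile NAME', 'tunnel source ADDR' and 'tunnel destination ADDR' all keep their last word
            if (w[0] == "profile" and len(w) == 2) or (w[0] == "tunnel" and len(w) == 3 and w[1] in ("source", "destination")):
                cfg.tunnels[block[1]][w[-2]] = w[-1]
        elif block and block[0] == "transport" and w[0] == "profile":
            cfg.transport_profiles.append(w[1])
    return cfg

def audit(cfg: Config) -> list[str]:
    """One finding per violated rule; an empty list means the fragment is consistent."""
    out = []
    for name, transforms in cfg.transform_sets.items():
        weak = [t for t in transforms if t in WEAK_TRANSFORMS]
        if weak:
            out.append(f"transform-set {name}: weak transform(s) {' '.join(weak)}")
    for name, p in cfg.profiles.items():
        if p["acl"] not in cfg.acls:
            out.append(f"profile {name}: crypto access list {p['acl']} is missing or undefined")
        if p["transform_set"] not in cfg.transform_sets:
            out.append(f"profile {name}: transform-set {p['transform_set']} is missing or undefined")
    on_tunnels = set()
    for intf, t in cfg.tunnels.items():
        if t["profile"] not in cfg.profiles:
            out.append(f"{intf}: no defined crypto profile is applied")
            continue
        on_tunnels.add(t["profile"])
        if t["source"] is None:
            out.append(f"{intf}: tunnel source is required for static and dynamic profiles")
        if not cfg.profiles[t["profile"]]["dynamic"] and t["destination"] is None:
            out.append(f"{intf}: static profile {t['profile']} requires a tunnel destination")
    for name in cfg.transport_profiles:
        if name not in cfg.profiles:
            out.append(f"transport: profile {name} is not defined")
        elif name in on_tunnels:
            out.append(f"profile {name}: applied to both a tunnel interface and transport, "
                       "but a profile cannot be shared between IPSec modes")
    return out

# Constructed sample in this chapter's syntax (not a captured configuration) with three deliberate faults.
SAMPLE_CONFIG = """\
ipv4 access-list sample1 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto ipsec profile toRemoteSite
 match sample1 transform-set myset1
 end
crypto ipsec profile toHub
 match sample1 transform-set myset1
 set type dynamic discover
interface tunnel-ipsec0
 profile toRemoteSite
 tunnel source 10.0.0.2
interface tunnel-ipsec 1
 profile toHub
 tunnel source 10.0.0.2
crypto ipsec transport
 profile toRemoteSite
"""
```

Calling audit(parse(SAMPLE_CONFIG)) returns three findings: the DES transform in myset1, the static profile on tunnel-ipsec0 without a tunnel destination, and toRemoteSite being applied to both a tunnel interface and transport. The parser recognises only the statement forms shown in this chapter, so other sections of a full running configuration are skipped rather than misread; confirm anything it reports on the router with show crypto ipsec sa and show crypto ipsec summary.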

Additional References

The following sections provide references related to implementing IPSec network security.

Related Documents

Related Topic: IPSec network security commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: IPSec Network Security Commands on Cisco IOS XR Software

Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

There are no applicable MIBs for this module.

To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL:

http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFC 2401   Security Architecture for the Internet Protocol
RFC 2402   IP Authentication Header
RFC 2403   The Use of HMAC-MD5-96 within ESP and AH
RFC 2404   The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405   The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC 2406   IP Encapsulating Security Payload (ESP)
RFC 2407   The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408   Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409   The Internet Key Exchange (IKE)

Technical Assistance

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport